Hi, there. In this video, we're going to wrap up the discussion around endpoint policies by taking a look at a demonstration of one, how to create one, as well as then how to apply it to a specific subnet. So, let's jump into the Azure portal. Okay, here we are at the entrance to the Azure portal. And the first thing that I want to show you is what I have in my resource group. So, we have the vnet that we created specifically for applying service endpoints, and we showed that a couple of videos ago. I also have two storage accounts here in the same region. One called storagepoliciesyes, one called storagepoliciesno. Obviously, allowing me to show you very easily which one is going to be allowed and which one is not. 

Now in order to enforce that though, we need to create the service endpoint policy. So, we're going to do that by just clicking on 'Create', and the easiest way to do this is just type 'policy' inside of the search bar. And then right here at the bottom is service endpoint policy. We'll go ahead and click 'Create'. Now, this is pretty straightforward. There is really only two screens that we need to worry about. This first one, specifying our resource group, giving the policy a name. Obviously, we want to go ahead and keep it in the same region as everything else. And then we're going to define the definition. Now, the definition is very simple and straightforward. All we do is we choose a set of resources. 

So, we click on the 'Add a resource' button, we get this blade that pops up. And you'll see here that right now, Microsoft storage is really the only option for us. I presume that over time Microsoft will add additional service endpoint services to this list so that you can do the same thing. But then we pick a scope. Do we want to choose individual storage accounts? Do we want to choose all accounts in a particular resource group, or all accounts in the subscription? And that's going to be very dependent upon how you have set up your resources in your own subscriptions, how you've done your resource organization and management. 

In this case, I'm just going to choose 'Single account'. We're then going to choose the resource group that the storage account is in. Now, it just so happens it's in the same one. And then, we're going to pick the individual storage account. And in this case, you're always choosing storage accounts that are being allowed. So, I want to choose 'storagepoliciesyes'. Right, go ahead and click 'Add'. We now have it here listed under our individual resources. We can also add an alias for specific types of services to be allowed as well. But we're not going to be focusing on any of that in this particular course. We're just going to focus on allowing individual storage accounts. 

Now, as I said, could have very easily added a couple of storage accounts in a separate resource group and done that as well. But just to show how this is done, we'll go ahead and click 'Tags', we go ahead and click 'Review + create'. I wonder, do I want to populate here? For this policy to take effect, you will need to associate it to one or more subnets that have virtual network service endpoints. Please visit a virtual network in East US 2 and then select the subnets to which you would like to associate this policy. So, that is still a secondary step. Just the creation of the policy is not enough. So, let's go ahead and click 'Create'. And then once this is done, we will go into the virtual network and apply this to the subnet. 

And we're good. All right, let's go back and we're going to go directly into the virtual network. We're going to go into the subnets and choose 'subnetendpoints', which is the one that we used in the demonstration a couple of videos ago. Now in this particular subnet, we did set up two different service endpoints, both Microsoft keyVault as well as Microsoft storage, but we didn't apply any policies because we didn't have any. In this case though, we do now. Let me scroll down just to make this a little bit easier to see. And we're going to choose 'storageyes-policy'. All we have to do is click 'Save'. And it's that simple. We have a saved subnet with now a both service endpoint applied as well as a policy. 

Now obviously, you can be much more granular, much more descriptive if you create your own JSONs, like we saw with the example earlier, and apply your service endpoint policies, create and apply your service endpoint policies via the Azure CLI or Azure PowerShell. The Azure portal does not always provide everything that you might want to do from a feature and function perspective. 

In the next video, we'll start to take a look at service tags and how they can be leveraged within the scope of your virtual networks, as well as how they can be used with respect to service endpoints.